Usage
Option: -u
Run Arjun against a single URL.
arjun -u https://api.example.com/endpoint
Option: -m
Arjun looks for GET method parameters by default. All available methods are: GET/POST/JSON/XML
arjun -u https://api.example.com/endpoint -m POST
Option: -i
Arjun supports importing targets from BurpSuite, simple text file and raw request files. Arjun can automatically identify the type of input file so you just need to specify the path.
arjun -i targets.txt
Note: Uncheck the "base64" option while exporting items in Burp Suite.
Option: -oJ/-oB/-oT
You can export the result to BurpSuite or a txt/JSON file by using the respective option.
arjun -u https://api.example.com/endpoint -oJ result.json
-oJ result.json
-oT result.txt
-oB 127.0.0.1:8080
Arjun can detect parameters in a specified location when using JSON or XML method parameters by default. All available methods are: GET/POST/JSON/XML
arjun -u https://api.example.com/endpoint -m JSON --include='{"root":{"a":"b",$arjun$}}'
OR
arjun -u https://api.example.com/endpoint -m XML --include='<?xml><root>$arjun$</root>'
Option: -t
Arjun uses 2 threads by default but you can tune its performance according to your network connection and target allowance.
arjun -u https://api.example.com/endpoint -t 10
Option: -d
You can delay the request by using the -d option but it will also set the number of threads to 1.
arjun -u https://api.example.com/endpoint -d 2
Option: -T
You can specify the timeout for HTTP requests with the -T option, default is 15.
arjun -u https://api.example.com/endpoint -T 10
Option: --stable
--stable sets the number of threads to 1 and introduces a random delay of 6 to 12 seconds between requests.
arjun -u https://api.example.com/endpoint --stable
Option: --ratelimit
You can specify requests/sec with --ratelimit.
arjun -u https://api.example.com/endpoint --ratelimit 2
Option: --include
Let's say you have an API key that you need to send with every request, to tell Arjun to do that you can use the --include option as follows:
arjun -u https://api.example.com/endpoint --include 'api_key=xxxxx'
OR
arjun -u https://api.example.com/endpoint --include '{"api_key":"xxxxx"}'
To include multiple parameters, use & to separate them or pass them as a valid JSON object.
Option: -w
You can specify the path to your own wordlist with this option. Arjun comes with 3 word-lists out-of-the-box which can be used as -w small|medium|large, self-explanatory.
arjun -u https://api.example.com/endpoint -w /path/to/wordlist.txt
Option: -c
By default, Arjun includes 500 parameters in the request which can sometimes exceed the maximum URL length limit for some servers. You can handle such cases with the -c option by specifying the number of parameters to be sent at once.
arjun -u https://api.example.com/endpoint -c 250
Option: --disable-redirects
This switch will prevent Arjun to follow redirects on the target URL. It is recommended to use it only when you know what you are doing.
arjun -u https://api.example.com/redirects_to_api2 --disable-redirects
Option: --passive
You can collect parameter names for a domain (not subdomain) from CommonCrawl, Open Threat Exchange and WaybackMachine and check if they exist on your targets.
arjun https://api.example.com/endpoint --passive example.com
If you want to use the domain from the target URL, use --passive -. It only works for a single target.
Option: --casing
For detailed explanation and list of supported casing style, see: https://github.com/s0md3v/wl
arjun -u https://api.example.com/endpoint --casing foo_bar
Option: --headers
You can simply add custom headers from command line separated by \n as follows:
arjun -u https://api.example.com/endpoint --headers "Accept-Language: en-US\nCookie: null"
Using the --headers option without any argument will open your text editor (default is 'nano') and you can simply paste your HTTP headers there and press Ctrl + S to save.
Note: Arjun uses
nanoas the default editor for the prompt but you can change it by tweaking/core/prompt.py.